sudo permissions for jenkins

David Caro dcaroest at redhat.com
Thu Jul 25 18:04:41 UTC 2013


On Tue 23 Jul 2013 10:48:46 PM CEST, Ewoud Kohl van Wijngaarden wrote:
> On Tue, Jul 23, 2013 at 04:27:08PM -0400, Mike Burns wrote:
>> I have a task that is currently not allowed due to the current sudo
>> rules.  I need to be able to run the edit-node tool to generate
>> ovirt-node isos containing vdsm.  This tool requires root or sudo
>> access.
>>
>> The problem is that I'm extracting the tool from it's rpm since it's
>> generated in a different jenkins job.  The execution is done with a
>> command like this:
>>
>> sudo ${WORKSPACE}/edit-node <options>
>>
>> AFAIK, this can't be handled in the sudoers file in any easy way.
>>
>> Any suggestions?  Or maybe simply enable universal passwordless sudo?
>
> I was wondering the same thing in http://gerrit.ovirt.org/17261. Since
> we already give permission to yum and cp to /etc/yum.repos.d, it's not
> hard to get some package to install extra sudo rules for yourself and
> have full sudo.
> _______________________________________________
> Infra mailing list
> Infra at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/infra

Yep, but we need it in order to be able to run the jobs, if we don't 
want to setup a complicated permission system.

I agree with quaid, we can just add ssh access for us and give full 
sudo acces to the jenkins user and our users, afaik the only sensible 
information that is there is the hashed password for admin users in the 
shadowfile, but if we allow passwordless sudo to our users too we do 
not need to setup any password in the system (that means changes in the 
users class too btw).


--
David Caro

Red Hat Czech s.r.o.
Continuous Integration Engineer - EMEA ENG Virtualization R&D

Tel.: +420 532 294 605
Email: dcaro at redhat.com
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
RHT Global #: 82-62605



More information about the Infra mailing list